Hi Guys
We recognized an anomaly after updating the UTM to 9.412-2 from 9.405-5 (I don't know when this came up - at least in 9.412-2):
SSL-VPN usage with AD-Group auth + OTP auth. -> Worked fine for 150 users in the past.
Now: Users created and prefetched after the update couldn't authenticate with OTP any more. The AUA-Log-Error states:
After many hours of "trial and error" we realized that the user objects have been converted to lower case during prefetching. But the UTM seems to have an additional table for the OTP objects where the original syntax (regarding the case sensitivity) is saved. OR: It first looks up the AD via LDAP and uses the sAMAccount syntax to match the OTP user, which is lowercased as described.
Now: During authentication the original syntax is matched to the syntax in the user object and fails because of the missing capital letters. AD auth is not affected.
Solution (or workaround until this one is fixed): After prefetching -> compare the syntax and correct the wrong letters in the user object on the UTM. And Chaka! -> OTP is working again.
Since we upgraded the UTM in April and only have the problems with users whose sAMAccount names contain capital letters, it took some days until the error occurred and we could find out what happened...
So for everybody who finds the log entry "Failing OTP auth because there is no user object": Check the syntax of your sAMAccounts and match the letters to the user object in the UTM.
My questions to the audience:
- Does anyone know EXACTLY how OTP authentication works (what, when, how)?
- What do I do with that finding (except for posting it here for the community)? -> How do I raise a bug at sophos (no premium support on that box)?
So much from sunny Hamburg in Germany ;-)
Cheers, Janbo
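The check described in the post, written out as an added example (not Sophos code and not part of the original post): it models the exact-match OTP lookup the poster infers, shows the same name passing a case-insensitive lookup, and produces the list of prefetched UTM user objects whose spelling has to be corrected to the AD sAMAccountName. Everything below is an assumption of the example, not something the post confirms: the AD export format (one sAMAccountName per line, as you would get from an ldapsearch), the UTM user object names (copied from WebAdmin), the sample names themselves (constructed), and the exact-match behaviour of the lookup.

```python
#!/usr/bin/env python3
"""Added example, not Sophos UTM code: reproduce the OTP case mismatch from
the post and list the UTM user objects that need their spelling corrected.

Assumptions (not from the post): the AD side is an export with one
sAMAccountName per line, the UTM side is the list of user object names as
shown in WebAdmin, and the OTP lookup is an exact string comparison.
Both inputs below are constructed sample data."""

# Constructed sAMAccountNames as stored in AD (mixed case is the trigger).
AD_SAMACCOUNTNAMES = """\
JDoe
mmueller
AnnaSchmidt
hans.maier
"""

# Constructed UTM user objects as created by prefetching (all lower case).
UTM_USER_OBJECTS = ["jdoe", "mmueller", "annaschmidt", "hans.maier"]


def parse_samaccountnames(export):
    """Return the non-empty sAMAccountNames from a one-name-per-line export."""
    return [line.strip() for line in export.splitlines() if line.strip()]


def otp_lookup_exact(username, user_objects):
    """Model of the case-sensitive lookup the post describes: the name AD
    returned must match a UTM user object letter for letter."""
    return username in user_objects


def otp_lookup_casefold(username, user_objects):
    """Case-insensitive variant: what the lookup would need to do for the
    lowercased prefetch to be harmless."""
    wanted = username.casefold()
    return any(u.casefold() == wanted for u in user_objects)


def find_case_mismatches(samaccountnames, user_objects):
    """Return (utm_name, ad_name) pairs where a UTM user object exists for the
    AD account but only matches it case-insensitively. These are the objects
    to rename on the UTM, which is the post's workaround."""
    by_casefold = {u.casefold(): u for u in user_objects}
    mismatches = []
    for name in samaccountnames:
        utm_name = by_casefold.get(name.casefold())
        if utm_name is not None and utm_name != name:
            mismatches.append((utm_name, name))
    return mismatches


def main():
    names = parse_samaccountnames(AD_SAMACCOUNTNAMES)
    for name in names:
        print(f"{name:12} exact={otp_lookup_exact(name, UTM_USER_OBJECTS)!s:5} "
              f"casefold={otp_lookup_casefold(name, UTM_USER_OBJECTS)}")
    for utm_name, ad_name in find_case_mismatches(names, UTM_USER_OBJECTS):
        print(f"rename UTM user object {utm_name!r} -> {ad_name!r}")


if __name__ == "__main__":
    main()
```

With the constructed data, `JDoe` and `AnnaSchmidt` fail the exact lookup but pass the case-insensitive one, and `find_case_mismatches` reports exactly those two objects for renaming; `mmueller` and `hans.maier` are untouched because their sAMAccountNames are already all lower case. Swap in your own AD export and the user list from the UTM to get the rename list for your box.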